Token endpoint auth method

The token endpoint auth method specifies how an OAuth 2.0 client authenticates at the token endpoint.

There are multiple ways of authenticating OAuth 2.0 clients at the token endpoint:

  • HTTP Basic Authorization (client_secret_basic) – the OAuth 2.0 Client ID and secret are sent in the HTTP header (Authorization: Basic …)
  • HTTP Body (client_secret_post) – the OAuth 2.0 Client ID and secret are sent in the POST body (Content-Type: application/x-www-form-urlencoded)

Both are valid schemes, but the OAuth 2.0 client has to be configured to allow one of them.

If the client app is configured to authenticate using HTTP Basic Authorization but you send the client credentials in the POST body, authentication will fail.

With client_secret_basic, you have to put the encoded app ID and app secret in the Authorization header using the Basic scheme.

  1. Given app credentials with id = 7590139168389961 and secret = tfSl0c6VFv3fAB_z9F-m22IhEnmwq6ew
  2. Join them with a colon:
7590139168389961:tfSl0c6VFv3fAB_z9F-m22IhEnmwq6ew
  3. Encode the result with Base64:
NzU5MDEzOTE2ODM4OTk2MTp0ZlNsMGM2VkZ2M2ZBQl96OUYtbTIySWhFbm13cTZldw==
  4. Put the encoded string in the Authorization header with the prefix Basic, along with the proper Content-Type header:
curl --location --request POST 'https://api.tiki.vn/sc/oauth2/token' \
--header 'Accept: application/json' \
--header 'Authorization: Basic NzU5MDEzOTE2ODM4OTk2MTp0ZlNsMGM2...' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=7590139168389961' \
--data-urlencode <... flow required params ...>

With client_secret_post, you have to put the app secret in the body with the key ‘client_secret’:

curl --location --request POST 'https://api.tiki.vn/sc/oauth2/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=7590139168389961' \
--data-urlencode 'client_secret=tfSl0c6VFv3fAB_z9F-m22IhEnmwq6ew'
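
The two request shapes above, built side by side in Python so the secret always travels in exactly one place. This is an added example, not code from Tiki's documentation: the helper name build_token_request and the grant_type=client_credentials flow parameter are assumptions, and the form-encoding step before Base64 follows RFC 6749 section 2.3.1 (it changes nothing for the credentials shown on this page).

```python
import base64
from urllib.parse import quote_plus, urlencode

# Sample credentials printed on this page.
CLIENT_ID = "7590139168389961"
CLIENT_SECRET = "tfSl0c6VFv3fAB_z9F-m22IhEnmwq6ew"


def build_token_request(auth_method, client_id, client_secret, flow_params):
    """Return (headers, body) for a token request. Hypothetical helper; sends nothing."""
    if "client_secret" in flow_params:
        raise ValueError("pass the secret separately so it lands in exactly one place")
    headers = {
        "Accept": "application/json",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # The page's curl examples send client_id in the body for both methods.
    body = {"client_id": client_id, **flow_params}
    if auth_method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-encode each part, join with a colon, Base64.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        token = base64.b64encode(pair.encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    elif auth_method == "client_secret_post":
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported token endpoint auth method: {auth_method}")
    return headers, urlencode(body)


if __name__ == "__main__":
    flow = {"grant_type": "client_credentials"}  # assumed flow parameter
    for method in ("client_secret_basic", "client_secret_post"):
        headers, body = build_token_request(method, CLIENT_ID, CLIENT_SECRET, flow)
        # Show which channel carries the secret without printing the secret itself.
        print(method, "| Authorization header:", "Authorization" in headers,
              "| client_secret in body:", "client_secret=" in body)
```

Pick the method that matches how the client is registered; the helper never emits both forms in one request.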
